[squid-users] Use arp and time acls to control access
squid3 at treenet.co.nz
Tue May 10 13:32:40 UTC 2016
On 11/05/2016 12:53 a.m., TarotApprentice wrote:
> I'm trying to restrict internet access of certain devices to certain
> times of the day. My config looks like:
>
> acl devicename1 arp aa:bb:cc:dd:ee:ff
> acl devicename2 arp aa:bb:cc:ff:ee:dd
> acl usertime time MTWHF 06:30-08:00
> acl usertime time MTWHF 18:00-22:30
> http_access allow devicename1 usertime
> http_access allow devicename2 usertime
> http_access deny devicename
>
> I'm using squid 3.5.17 (the
> latest in Debian Stretch). The client devices are using the proxy in
> explicit mode. devicename1 and devicename2 currently are getting
> dynamic IP's but I can set the router up to give a static IPv4
> address and use that instead of the mac address.
> From reading the
> docs it seems arp (the mac address) isn't available if they use
Correct. Sort of. ARP does not exist in IPv6, but EUI does.
If your network uses SLAAC or DHCPv6 assignments based on the MAC /
EUI-64 then Squid can grab the EUI from the IPv6 address. The arp ACL
uses that for v6 clients when available.
Otherwise you will need static DHCPv6 assignments and src ACL.
> Also if they're using an https site it isn't going to work unless I
> start peeking.
Neither time nor arp types depend on TLS. So the ACLs should work okay
for what they do - just not ideal for what you want to achieve.
HTTPS without bumping just means that your ability to reject is at the
connection/tunnel level rather than individual requests. At present it
should be a reasonable approximation as most browsers don't send many
requests through before closing. That will change as HTTP/2 rollout
increases, since it is designed to maximize connection re-use.
> Is there a better way of restricting the access to the
> allowed times for both http and https traffic?
Not without bumping to get at the individual HTTPS requests.
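As an added illustration of the advice above (not configuration from the thread or from the Squid project), here is a squid.conf fragment that combines arp and time ACLs with a src fallback for IPv6 clients on static DHCPv6 assignments. Device names, MAC addresses and IPv6 addresses are placeholders.

```conf
# Added example, not from the original thread. All names and addresses
# are placeholders. Squid 3.5 is assumed (the built-in "all" ACL exists).

# Match each device by MAC. For IPv4 clients this is the ARP entry; for
# IPv6 clients Squid can only match it when the address embeds an EUI-64
# (SLAAC or MAC-based DHCPv6), otherwise this ACL never matches for v6.
acl laptop_mac arp 00:11:22:33:44:55
acl tablet_mac arp 00:11:22:33:44:66

# Fallback for IPv6 where no EUI can be recovered: give the devices static
# DHCPv6 leases and match the address. A Squid ACL name may only be reused
# with the same type, so the src ACLs need their own names.
acl laptop_v6 src 2001:db8:1::101
acl tablet_v6 src 2001:db8:1::102

# Repeating an ACL name with the same type ORs the values: either window,
# weekdays only (M T W H F).
acl usertime time MTWHF 06:30-08:00
acl usertime time MTWHF 18:00-22:30

# ACLs on one http_access line are ANDed: the device AND inside a window.
http_access allow laptop_mac usertime
http_access allow laptop_v6 usertime
http_access allow tablet_mac usertime
http_access allow tablet_v6 usertime

# Outside the windows these devices get nothing. For HTTPS this refuses the
# CONNECT tunnel itself, since without bumping the individual requests
# inside the TLS session are not visible to Squid.
http_access deny laptop_mac
http_access deny laptop_v6
http_access deny tablet_mac
http_access deny tablet_v6

# Remaining rules for other clients go here; end with the usual catch-all.
http_access deny all
```

With explicit-proxy clients the denial of a CONNECT is reported by the browser as a proxy error rather than a page, which is the "connection/tunnel level" behaviour described above.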